In summary: Stolen credentials from more than 86,000 Fortinet devices—many of which are used by companies for VPN access—have been compiled and distributed. For an SME using a FortiGate, the key step is not to panic but to quickly verify VPN accounts and change passwords.
What Happened
In mid-June 2026, researchers at Hudson Rock disclosed a database dubbed “FortiBleed”: a collection of login credentials associated with Fortinet firewalls and VPN gateways. Estimates vary by source, with between 74,000 and 86,644 devices affected in nearly 194 countries.
The U.S. agency CISA issued an alert on June 18 and then updated it on June 22 to refer users to Fortinet’s official recommendations. Not all of these credentials were obtained on the day of the leak: some came from devices compromised earlier in the year, sometimes through vulnerabilities that Fortinet had already patched but that remained unpatched in the field. The time lag between when a patch becomes available and when it is applied remains the weak point.
Does this apply to me?
You may be at risk if your company uses a FortiGate firewall with SSL VPN access for remote work or remote sites, especially if the administration interface or VPN portal remains accessible from the internet. The specific risk: a valid set of credentials allows an attacker to log in as a legitimate user without triggering any obvious alerts.
Here are a few things to look out for: VPN connections at unusual times, from countries where you don’t have employees, or accounts whose passwords haven’t been changed in a long time. If you’ve outsourced your network management to a service provider, ask them for written confirmation that your devices have been checked.
What to Do Now
Three actions, in order of priority:
- Reset the VPN and administrator passwords on your Fortinet devices, and terminate any active sessions. This is the step that neutralizes a credential that has already been compromised.
- Enable phishing-resistant two-factor authentication for VPN and admin access. A stolen password alone will no longer be enough to gain access.
- Review the login logs from the past few weeks to identify any unusual access, and apply the latest Fortinet patches if you haven't already done so.
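As an added example (not code from Fortinet or from IT Systèmes), the following Python script shows what the log review in step three can look like in practice: it reads an export of VPN login events in the key=value style FortiGate produces and flags exactly the indicators named above, logins at unusual hours or on weekends, logins from countries where the company has no staff, and accounts seen connecting from more than one country. The sample log lines, the IP-to-country map and the list of staff countries are all constructed for the example; the field names (`subtype`, `action`, `user`, `remip`) and the action values that denote a successful login are assumptions to check against your own export.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Key=value parser: a value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed action values marking a successful SSL VPN login; verify on your own export.
LOGIN_ACTIONS = {"tunnel-up", "ssl-login"}

# Constructed sample export in FortiGate-like key=value style (not real data).
SAMPLE_LOG = """\
date=2026-06-19 time=02:13:44 type="event" subtype="vpn" action="tunnel-up" user="j.martin" remip=203.0.113.45 tunneltype="ssl-web"
date=2026-06-19 time=09:02:10 type="event" subtype="vpn" action="tunnel-up" user="a.dupont" remip=198.51.100.7 tunneltype="ssl-web"
date=2026-06-20 time=14:30:00 type="event" subtype="vpn" action="tunnel-up" user="j.martin" remip=192.0.2.88 tunneltype="ssl-web"
date=2026-06-20 time=23:58:01 type="event" subtype="vpn" action="tunnel-down" user="a.dupont" remip=198.51.100.7 tunneltype="ssl-web"
garbage line without fields
"""

# Constructed stand-in for a GeoIP lookup (documentation-range addresses only).
IP_COUNTRY = {"203.0.113.45": "FR", "198.51.100.7": "FR", "192.0.2.88": "BR"}
# Countries where the (hypothetical) company actually has employees.
STAFF_COUNTRIES = {"FR", "BE"}


def parse_kv(line):
    """Turn one key=value log line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def login_events(log_text):
    """Yield successful VPN login events with a parsed timestamp."""
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f.get("subtype") != "vpn" or f.get("action") not in LOGIN_ACTIONS:
            continue
        try:
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # malformed or truncated line: skip it rather than crash
        yield {"ts": ts, "user": f.get("user", "?"), "remip": f.get("remip", "?")}


def triage(log_text, staff_countries, ip_country,
           office_start=time(7, 0), office_end=time(20, 0)):
    """Return login events matching the indicators from the text:
    off-hours or weekend logins, and logins from countries without staff."""
    findings = []
    for ev in login_events(log_text):
        reasons = []
        if ev["ts"].weekday() >= 5:
            reasons.append("weekend")
        if not (office_start <= ev["ts"].time() <= office_end):
            reasons.append("off-hours")
        country = ip_country.get(ev["remip"], "UNKNOWN")
        if country not in staff_countries:
            reasons.append("unexpected-country:" + country)
        if reasons:
            findings.append({**ev, "country": country, "reasons": reasons})
    return findings


def multi_country_users(log_text, ip_country):
    """Users seen logging in from more than one country: worth a phone call."""
    seen = defaultdict(set)
    for ev in login_events(log_text):
        seen[ev["user"]].add(ip_country.get(ev["remip"], "UNKNOWN"))
    return {u: c for u, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, STAFF_COUNTRIES, IP_COUNTRY):
        print(f"{f['ts']} {f['user']:<10} {f['remip']:<15} {f['country']:<8} "
              + ", ".join(f["reasons"]))
    for user, countries in multi_country_users(SAMPLE_LOG, IP_COUNTRY).items():
        print(f"{user}: logins from {sorted(countries)}")
```

On the constructed sample this reports the 02:13 login for j.martin as off-hours and the Saturday login from a country with no staff as both weekend and unexpected-country, and lists j.martin as an account seen from two countries; the tunnel-down line and the garbage line are ignored. Replace the inline map with a real GeoIP lookup and adjust the office-hours window and staff countries to your company before running it on an actual export.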
If you don't have the in-house expertise to handle this equipment, this is exactly the kind of check that a managed services contract or a security provider should perform. A quick check is better than a delayed audit. Let's discuss this if you have any questions.
In a nutshell
FortiBleed isn't a spectacular new vulnerability, but a reminder that a stolen VPN credential opens a backdoor. Changing Fortinet passwords, enabling two-factor authentication, and reviewing logs are enough to mitigate most of the risk. With the right support, an SMB can resolve this in a matter of hours, without making a big deal out of it.
— Samir Amara, CEO — IT Systèmes
Frequently asked questions
Should we replace our Fortinet firewall? No. The hardware isn't the issue here; it's the exposed credentials. Resetting access credentials and applying patches is sufficient in the vast majority of cases.
We use a different VPN—are we safe? For this specific incident, yes. But the best practice remains the same: two-factor authentication and up-to-date passwords for all remote access.